Phishing has now discovered FF miles.....

Jul 22, 2011 | 3:47 am
  #1  
Original Poster
 
Join Date: Sep 2001
Location: Wirral, UK
Programs: BA-Gld, BD Lifetime Gld, LH Pleb, *Wd GPG, HH-Dmd, Amex: can take their Cent card and <CENSORED>
Posts: 756
Phishing has now discovered FF miles.....

From this article "Phishers target frequent flyer schemes in Brazil" (excerpts extracted, read the article for the full horror):

"Phishing fraudsters have latched on to a new target, with attacks designed to gain compromised access to frequent flyer accounts.

.....

Brazilian phishers running the scam have registered multiple domains that resemble those of airline firms. Some of the attacks rely on a first wave of Trojan infections that makes sure that surfers using compromised machines are redirected to bogus domains, net security firm Kaspersky Lab warns.

Local victims are beginning to come forward, complaining that their accounts have been plundered in order to issue tickets to unknown parties. One victim claims to have lost air miles valued at $7,600, a figure that seems rather high.

.....

Phishing scams are most commonly targeted against PayPal, online banking accounts, or (less frequently) e-commerce website accounts. Attacks against air miles programmes are a much more recent innovation, with one of the first attacks of its kind appearing last month, targeted against the loyalty programme of a German airline. The scam used a variant of the SpyEye banking Trojan.
....."

Amusing that the article thinks $7,600 is an unrealistic figure for the value of someone's FF account, they obviously don't read FT!

I'd imagine that computers in airline lounges would be a prime target for this kind of hack, as they are relatively easy to infect, and very likely to have people logging on to check their FF accounts (or, indeed itineraries bookings etc. since it's generally the same account you need to do both!).

Standard advice in these situations is to intentionally get your password WRONG if you have any concerns. Possibly even use an intentionally wrong FF number. Any website that will log you in with known wrong credentials has to be bogus, as only the real website actually knows what your credentials are to say they are wrong. I fear many of us would be well advised to get into the habit of doing this when using PCs that we don't trust inherently.....

As they used to say on Hill St. Blues:

"Hey, let's be careful out there!"

Ken.

Willard the Bear - Anyone who tries to steal my (Ouch! Sorry, Ken's) miles will have a face full of fur if I catch them!!!
KenF is offline  
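
An added example, not part of the original post or the quoted article: one way a defender could flag the kind of look-alike airline domains the article describes, by folding visually confusable characters and measuring edit distance against a list of protected names. The brand domains, sample observations, and the function names `skeleton`, `edit_distance` and `classify` are all constructed for illustration.

```python
import unicodedata

# Constructed sample data: fictional brand domains a defender wants to protect.
PROTECTED = ["fictional-air.example", "samplejet.example"]
# Digit-for-letter swaps folded to one canonical form before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Lower-case, strip accents, fold look-alike characters ('rn' reads as 'm')."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(candidate, protected=PROTECTED, max_distance=2):
    """Return (verdict, brand) for one observed domain name."""
    cand = candidate.lower().rstrip(".")
    for brand in protected:
        if cand == brand or cand.endswith("." + brand):
            return ("legitimate", brand)
    folded = skeleton(cand)
    for brand in protected:
        target = skeleton(brand)
        if folded == target:
            return ("homoglyph", brand)
        if edit_distance(folded, target) <= max_distance:
            return ("typo", brand)
        if skeleton(brand.split(".")[0]) in folded:
            return ("brand-in-name", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed observations, e.g. from DNS logs or a new-registration feed.
    for name in ["www.fictional-air.example", "fictiona1-air.example",
                 "fictoinal-air.example", "samplejet-milhas.example",
                 "weather.invalid"]:
        print(name, classify(name))
```

This only catches look-alike registrations; the Trojan-driven redirection the article also mentions leaves the genuine name in the address bar, so name matching does not see it.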
Jul 22, 2011 | 11:13 am
  #2  
 
Join Date: May 2011
Location: SLC
Posts: 65
Key logging

This advice will not work if the infection is just doing key logging. The key log will just show an incorrect password followed by the correct credentials.

Originally Posted by KenF
From this article "Phishers target frequent flyer schemes in Brazil" (excerpts extracted, read the article for the full horror):
Standard advice in these situations is to intentionally get your password WRONG if you have any concerns. Possibly even use an intentionally wrong FF number. Any website that will log you in with known wrong credentials has to be bogus, as only the real website actually knows what your credentials are to say they are wrong.
Willard the Bear - Anyone who tries to steal my (Ouch! Sorry, Ken's) miles will have a face full of fur if I catch them!!!
captaindomon is offline  
Jul 22, 2011 | 11:37 am
  #3  
 
Join Date: Oct 2010
Posts: 690
Originally Posted by captaindomon
This advice will not work if the infection is just doing key logging. The key log will just show an incorrect password followed by the correct credentials.
Wouldn't it just log you in even if your password was wrong?
fragment54 is offline  
Jul 22, 2011 | 11:43 am
  #4  
 
Join Date: Dec 2009
Location: WAS
Posts: 141
Originally Posted by fragment54
Wouldn't it just log you in even if your password was wrong?
If a key logger is installed on your machine, everything will seem to work fine, except everything you type will be logged and transmitted to the maker of such malware.

If it's just a fake website then it'll probably let you in no matter what you typed, more likely do nothing at all after you hit submit.
ooodaveb is offline  
Jul 22, 2011 | 10:28 pm
  #5  
 
Join Date: Sep 2010
Location: Cypress Hills Research Center
Posts: 5,295
Originally Posted by KenF
...
Standard advice in these situations is to intentionally get your password WRONG if you have any concerns. Possibly even use an intentionally wrong FF number. Any website that will log you in with known wrong credentials has to be bogus, as only the real website actually knows what your credentials are to say they are wrong. I fear many of us would be well advised to get into the habit of doing this when using PCs that we don't trust inherently.....
Originally Posted by ooodaveb
If a key logger is installed on your machine, everything will seem to work fine, except everything you type will be logged and transmitted to the maker of such malware.

If it's just a fake website then it'll probably let you in no matter what you typed, more likely do nothing at all after you hit submit.
This advice is really not very good. Any decent hacker's fake website will pass on whatever you type to the real one and display whatever the real site would display; all the while logging your userid and password. Hackers don't want to do anything that will alert you to their activity and they are very, very clever.
uszkanni is offline  
Jul 23, 2011 | 6:28 am
  #6  
Original Poster
 
Join Date: Sep 2001
Location: Wirral, UK
Programs: BA-Gld, BD Lifetime Gld, LH Pleb, *Wd GPG, HH-Dmd, Amex: can take their Cent card and <CENSORED>
Posts: 756
Originally Posted by captaindomon
This advice will not work if the infection is just doing key logging. The key log will just show an incorrect password followed by the correct credentials.
Agree totally! However the article describes a situation where the user's browsing activity is being re-directed to a fake version of a legitimate airline website, either via a trojan on the local machine hijacking the DNS requests, or, by extension (presumably) via any one of the long and varied list of DNS hijack technologies that are in use.

Originally Posted by uszkanni
This advice is really not very good. Any decent hacker's fake website will pass on whatever you type to the real one and display whatever the real site would display; all the while logging your userid and password. Hackers don't want to do anything that will alert you to their activity and they are very, very clever.
Not sure if I agree quite so much here, there are various risks and problems with doing this in the real world, and the effort of doing a pass-through of the credentials to the real site probably isn't worth it for the (sadly) small number of people who would notice the difference. I agree Hackers ain't stupid, but they do understand the 80-20 rule, and they also don't like generating traffic that makes them look suspicious.

However, zooming out from the original threat (which is more of a general concern, as once the illicit hacking market has discovered the value of FF miles, you can be sure that they will be coming up with many many more ways of trying to fool us!), here is a full set of security advice, some or all of which may be useful dependent on your level of paranoia:

If at all possible, always use your own device to access the internet whilst you are away from your own controlled environment. Take sensible security precautions dependent on the device in question (i.e. anti-virus/anti-malware for Windows/Mac-OS machines, sensible security model for Linux machines - don't log in as root and browse the internet, and use of common sense for other devices - don't download dross onto your working tablet/phone). If you absolutely have to use a shared/lounge/hotel/cafe PC, then only use either one-time or two-factor authentication, and, even then, consider carefully the risk/benefit ratio, as these types of login are still subject to MITM attacks as ably described by uszkanni.

If at all possible, use your own, trusted means to access the internet when doing things that require sensitive logins - 3G Dongles are pretty cheap these days, and are a lot more secure than WiFi networks, and often a lot cheaper than the hotel internet service too....

Have a healthy scepticism of shared use WiFi networks - especially in areas where you do not expect them. Fake WiFi Hotspots and DHCP and DNS hijacking attacks mean that you can very easily have your traffic intercepted or redirected. In a perfect world, you should only use a "public" internet connection to establish a VPN connection back to a known trustworthy server, and then all of your traffic (DNS included!!) should go via this server. Sadly, we don't live in a perfect world, so the best alternative advice is to only use secure protocols to connect via insecure networks, check certificates for secure websites and do not ignore security warnings from your browser.

Consider using extensions like NoScript for Firefox that block all attempts to remotely execute code via the web. True, they make the web a bit more complicated to use, but, really, do you want every website in the world to be able to run scripts on your local machine??

For myself, I carry a netbook (that runs Ubuntu), use a 3G dongle for network access in the UK and NZ, do secure access to my local network via SSH tunnels (mutually authenticated by public/private key), and have ....... and NoScript installed and active by default. One of these days I'll go over to either one-time or 2-factor logins, when I've found a solution I like (probably not SecurID, given the recent bad-publicity).

At a time when we're being forced by airlines to do more and more on the web, it's a real shame that sat in an airport or hotel is probably one of the least secure environments to be doing it in.....

Willard the Bear - Checking E-Mail? Airline Websites? I have a flunky to do that kind of thing for me!
KenF is offline  